
Retailers Realize EMV Won't Save Them From Fraudsters

Fraudsters hit retailers harder than ever in 2014, and many recognize that even though EMV's chip-and-PIN authentication will stem skimming, breaches and other forms of fraud will persist.

As mega data breaches at retailers like Target and Home Depot continue to rock the retail industry in 2014, many merchants are facing the music with higher-than-ever rates of fraud and the monetary losses that follow. Some champions have sung the praises of the chip-and-PIN authentication method that will be instituted with the implementation of more advanced physical cards through the rollout of EMV. But the industry is recognizing that hackers, identity thieves, and other criminals are so firmly entrenched with advanced technology and an understanding of card payment systems that EMV is only going to create a whack-a-mole situation. The expectation remains that as in-store fraud diminishes, card-not-present fraud will shoot up.

In a report out this month, analysts with LexisNexis found that merchants are paying 33% more in fraud losses this year than last. Not only are these merchants incurring losses from fraud itself, they're often incurring fees and other costs -- with an average of an additional $3.08 lost per dollar of fraud. And at the moment the increase in losses is felt most acutely by large online merchants. Even as they've experienced a $30 billion windfall from increased revenue in 2014, $255 million of it has been eaten up by fraud. Fraud at these online merchant organizations has increased this year at double the rate seen at others.

And as the ripple effects of EMV start to present themselves, it is likely that this impact to e-commerce will only intensify. Designed to sunset dreadfully insecure mag-stripe technology and make it difficult for attackers to create and use counterfeit cards out of breached card information, EMV technology uses a circuit-board chip on the card to authenticate with the retailer. EMV has already drastically reduced in-store fraud at European merchants. But the technology does nothing to prevent fraud in situations where the physical card is not used.

And with so much money at stake, retailers recognize that fraudsters are going to set their targets elsewhere within the payment ecosystem.

"Fraudsters have to eat just like you and me, so the fraud is going to go somewhere, and it will be interesting to see where it goes," one unnamed executive at a mid-sized card-issuing institution told LexisNexis.

This seems to be an increasingly pervasive view across the industry, as more security evangelists tout EMV as just one critical layer in securing the point of sale. According to Stephen Orfei, general manager of the PCI Security Standards Council, the PCI Council is encouraging organizations to embrace a host of technologies to make card data less valuable to criminals.

"If you have EMV at the POS, point-to-point encryption back to the acquiring environment, and tokenization implemented properly, you have the opportunity to devalue the data and make it useless in the hands of undesirables," Orfei says.

The encryption and tokenization elements are very important, because as Lucas Zaichkowsky, enterprise defense architect for the forensics and security firm AccessData, explains, EMV readers still allow card number and expiration data to be stored unencrypted during parts of the transaction.

"The proponents of EMV, they either don't understand it or they are some special interest group that's pushing it through because that's their job and they just kind of skirt around telling people, 'By the way, you should still encrypt this stuff because it has the card number and expiration data in plain text,'" he says.

In the meantime, retailers shouldn't wait around for EMV to start instituting extra layers of security. In fact, LexisNexis believes that until the payment companies start enforcing EMV deployment more stringently in 2015, many criminals are going to try to use that window to commit as much fraud as possible at the POS terminal.

"Until EMV is widely implemented or criminals’ caches of stolen card numbers are exhausted, counterfeit cards will proliferate in fraudsters’ last-ditch effort to use them at the POS," the report warned. "Extra caution is advised in light of this trend."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

User Rank: Moderator
10/5/2014 | 1:38:46 AM
Re: Will there ever be a solution?
Here's the silver bullet.

Let me say, up front, that the whole architecture of the authentication/payment cycle is wrong.

Here's an easily implemented solution, which will leave the hackers with a lot of useless data, even if the retailer persists in storing card data in the transaction log, or a network snooper monitors all transactions:

1. The customer presents a credit card to the POS terminal

2. The (hopefully encrypted) card number is sent to the card validation server

3. Each customer has a secret keyword, like 'julyfourth', which only he knows, and which is never transmitted.

4. The validation server sends an alphabet, and a random selection of 1's and 0's to the POS terminal

5. The customer selects a pattern of 1's and 0's which match his keyword. This metadata is sent back to the validation server.

6. The validation server also selects a pattern of 1's and 0's which match the keyword.

7. If the two patterns match, the transaction is approved; if not, it's fraud.

Notice that, since the challenge is random, anyone trying to re-use it will fail.

Additionally, if this system is used for card-not-present transactions, it is equally effective, and it doesn't rely on chips, biometrics, multi-factor authentication.

Oh, yes. It'll protect ATM transactions from spy cameras, network snoopers and other fraud attempts.
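
The exchange described in the comment above, sketched as an added example that is not part of the original comment or article. It assumes one reading of steps 4 to 6 (the server labels each letter of the alphabet with a random bit and the customer returns the bits shown for the letters of the keyword); all function names and the candidate word list are hypothetical.

```python
import secrets
import string

ALPHABET = string.ascii_lowercase  # assumption: keywords use lowercase letters only

def make_challenge(rng=secrets.SystemRandom()):
    """Server side (step 4): label every letter with a fresh random bit."""
    return {ch: rng.randrange(2) for ch in ALPHABET}

def respond(keyword, challenge):
    """Customer side (step 5): read off the bit shown for each keyword letter."""
    return "".join(str(challenge[ch]) for ch in keyword)

def verify(stored_keyword, challenge, response):
    """Server side (steps 6-7): recompute the pattern and compare.
    The server needs the keyword in readable form to do this."""
    return secrets.compare_digest(respond(stored_keyword, challenge), response)

def replay_acceptance_rate(keyword, trials=2000, rng=secrets.SystemRandom()):
    """Fraction of fresh challenges that one recorded response would satisfy."""
    old = respond(keyword, make_challenge(rng))
    hits = sum(verify(keyword, make_challenge(rng), old) for _ in range(trials))
    return hits / trials

def consistent_candidates(transcripts, candidates):
    """Design check: which candidate keywords explain every recorded
    (challenge, response) pair, i.e. what the exchanges reveal."""
    return [w for w in candidates
            if all(len(w) == len(r) and respond(w, c) == r
                   for c, r in transcripts)]

if __name__ == "__main__":
    keyword = "julyfourth"                                 # keyword from the comment
    candidates = ["valentines", keyword, "marchfirst"]     # constructed list
    challenge = make_challenge()
    response = respond(keyword, challenge)
    print("response:", response, "accepted:", verify(keyword, challenge, response))
    print("replay acceptance rate:", replay_acceptance_rate(keyword))
    seen = [(c, respond(keyword, c)) for c in (make_challenge() for _ in range(3))]
    print("candidates still consistent:", consistent_candidates(seen, candidates))
```

A recorded response passes a fresh challenge only when every distinct keyword letter happens to draw the same bit again, while each recorded exchange removes candidate keywords that disagree with it.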
User Rank: Strategist
10/1/2014 | 6:46:38 AM
Re: Will there ever be a solution?
Even with EMV and tokenization, there are still points in the overall business cycle where card data could be compromised. There are no silver bullets. That's why there are well over 200 controls in the PCI Data Security Standard.
Robert McDougal
User Rank: Ninja
9/30/2014 | 4:14:06 PM
Will there ever be a solution?
As this problem continues to grow I wouldn't be surprised if in 5 years we must use a token in conjunction with our credit cards.